You can also pass the token as an attribute in the body of an application/json request.
However, since the body is meaningless in a GET request, this is mostly useful for
protecting routes that only accept POST, PATCH, or DELETE methods.

That is to say, the GET method will become essentially unauthorized in any protected route
if you only use this lookup method.

If you decide to use JWTs in the request body, here is an example of how it might look:

```python
from flask import Flask, jsonify, request
from flask_jwt_extended import (
    JWTManager,
    jwt_required,
    create_access_token,
)

app = Flask(__name__)

# IMPORTANT: Body is meaningless in GET requests, so using json
# as the only lookup method means that the GET method will become
# unauthorized in any protected route, as there's no body to look for.
app.config['JWT_TOKEN_LOCATION'] = ['json']
app.config['JWT_SECRET_KEY'] = 'super-secret'  # Change this!

jwt = JWTManager(app)


@app.route('/login', methods=['POST'])
def login():
    username = request.json.get('username', None)
    password = request.json.get('password', None)
    if username != 'test' or password != 'test':
        return jsonify({"msg": "Bad username or password"}), 401

    access_token = create_access_token(identity=username)
    return jsonify(access_token=access_token)


# The default attribute name where the JWT is looked for is `access_token`,
# and can be changed with the JWT_JSON_KEY option.
# Notice how the route is unreachable with GET requests.
@app.route('/protected', methods=['GET', 'POST'])
@jwt_required  # bare decorator is the flask-jwt-extended 3.x form; 4.x uses @jwt_required()
def protected():
    return jsonify(foo='bar')


if __name__ == '__main__':
    app.run()
```
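To make the consequences of this lookup concrete without running a server, here is an added example (not code from flask-jwt-extended) that re-implements the JSON-body lookup and an HS256 check with only the standard library. It assumes the constants SECRET_KEY and JSON_KEY in place of the JWT_SECRET_KEY and JWT_JSON_KEY settings and a hypothetical `protected` function standing in for the /protected view; the point it shows is that a GET request, having no body, can never be authorized under this lookup, while the JSON attribute name stays configurable.

```python
import base64, hashlib, hmac, json, time
# Toy stand-in for the extension's JSON-body lookup (not the library's own code);
# a request is modelled as (method, content_type, raw_body).
SECRET_KEY = "super-secret"   # plays the role of JWT_SECRET_KEY (change it in real use)
JSON_KEY = "access_token"     # plays the role of JWT_JSON_KEY (the default attribute name)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_access_token(identity, ttl=900):
    """Mint a minimal HS256 JWT with sub/exp claims (toy version of the library call)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": identity, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET_KEY.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def token_from_json_body(method, content_type, body, json_key=JSON_KEY):
    """Emulate JWT_TOKEN_LOCATION = ['json']: return (token, None) or (None, reason)."""
    if method.upper() == "GET" or not body:   # a GET has no meaningful body to search
        return None, "Missing JSON body"
    if not content_type.startswith("application/json"):
        return None, "Invalid content-type. Must be application/json."
    try:
        token = json.loads(body).get(json_key)
    except (ValueError, AttributeError):      # not JSON, or JSON that is not an object
        return None, "Invalid JSON body"
    return (token, None) if token else (None, f"Missing '{json_key}' key in JSON body")

def verify_access_token(token):
    """Constant-time HS256 signature check, then expiry; return the claims or None."""
    try:
        head, body, sig = token.split(".")
        want = hmac.new(SECRET_KEY.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) >= time.time() else None

def protected(method, content_type="", body=b""):
    # Toy equivalent of the page's /protected view: returns (status, json) like the Flask route.
    token, reason = token_from_json_body(method, content_type, body)
    if token is None:
        return 401, {"msg": reason}
    if verify_access_token(token) is None:
        return 422, {"msg": "Signature verification failed"}
    return 200, {"foo": "bar"}
```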